We’re living in an interconnected world which offers a lot of conveniences. We can sign in with Google or Facebook (through OAuth) to connect to online services and apps. The downside is that there are more “bad actors” trying to trick us into handing over access to our information. Recently, there was a very effective phishing scam involving Google Docs. While I wasn’t impacted, it did make me check my Google Security Settings to see who has access.
Granting Google Access
You’ve probably noticed that when you sign up for some services, you’re asked to give them access to your Google account. This often makes things easier, since you don’t have to remember another password. Or the service may need to reach some Google component such as your contacts, Google Analytics, or Google Calendar. It’s become so familiar that we seldom pause when granting access. Our goal is just to use the service or app.
In the recent attack, you might have received an email indicating a friend had given you access to a Google Doc. Since you knew the individual, you clicked through and saw a familiar dialog.
The problem was that this “Google Docs” wasn’t the Google Docs we know and use. It was a cleverly designed fraud: a third-party app registered under that name, so the consent dialog looked legitimate. As a result, if you clicked ALLOW, the perpetrator got access to your email and contacts. They then sent a similar email to your contacts saying you had a document to share with them. And because you were already signed in to Google, the dialog simply handed the app an access token. You never typed a password, so any Two-Factor Authentication (2FA) you use was never triggered.
Who Has Access Now to Your Google Account?
While this phishing attack didn’t hit me, it did make me review who I had granted access to. It was enlightening, as there were services I’d stopped using, and some I couldn’t place. It gave me an opportunity to remove apps.
To check your Google account access,
- Go to https://myaccount.google.com/permissions
- You’ll see a list of the services you’ve allowed and the permissions each one has. They’re not all Google apps. For example, I have an Amazon Echo which can access certain features: I can say, “Alexa, what’s my next appointment?”, and she reads my Google Calendar.
- If you see an item you don’t need or recognize, click it to get more details. The panel expands to show the app’s name, its access rights, and the date you approved access.
- In this case, I know the Optimizely app, but I no longer need the functionality, so I can click the REMOVE button to revoke access.
Levels of Access
As you can see above, there are multiple access levels. Some access is minimal, whereas other apps have “full access”. Even “full access” has limits: Google notes these apps can’t delete your account or make purchases with Google Wallet. Everything else, though, is fair game, so you need to be very careful and only keep apps you trust at this level.
Another item to review is whether an app has “read and write access”. Many legitimate apps do. For example, you may have a phone app that automatically posts to Facebook how many miles you ran or how you slept.
My rule of thumb is if you don’t know the app, remove it. If revoking access breaks something, the app will tell you it needs to reauthorize the next time you use it. Keep in mind that revoking only stops the app from using its token from now on; anything it already read or copied is already gone.
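Here is an added example, written for this post and not code from the original article or from Google, that makes the warning signs from the Google Docs scam and the access levels above concrete. The one thing you cannot check is the app’s name: “Google Docs” in the scam was just the display name the attacker registered with their OAuth client, and it never appears in the authorization URL. What the URL does carry are the scopes being requested (Google’s real scope identifiers are used below), the redirect_uri the access token is delivered to, and the client_id. The script sorts scopes into the same levels the permissions page uses (full access, read and write, read-only, sign-in) and flags full access or a redirect to a domain other than the one you think you are authorizing. The two sample URLs, their client ids and their domains are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Google's real scope identifiers, grouped by the broad level the
# permissions page reports. Anything not listed lands in "unknown" so it
# gets a closer look instead of being silently accepted.
FULL_ACCESS = {
    "https://mail.google.com/",                   # read, send, delete all mail
    "https://www.googleapis.com/auth/contacts",   # see, edit, delete contacts
    "https://www.googleapis.com/auth/drive",      # every Drive file
    "https://www.googleapis.com/auth/calendar",   # every calendar
}
READ_WRITE = {
    "https://www.googleapis.com/auth/gmail.send",       # send mail as you
    "https://www.googleapis.com/auth/gmail.modify",     # read, label, archive mail
    "https://www.googleapis.com/auth/calendar.events",  # edit events
}
READ_ONLY = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
}
SIGN_IN = {"openid", "email", "profile",
           "https://www.googleapis.com/auth/userinfo.email",
           "https://www.googleapis.com/auth/userinfo.profile"}


def parse_consent_url(url):
    """Pull client_id, redirect host and requested scopes out of an
    accounts.google.com OAuth 2.0 authorization URL."""
    query = parse_qs(urlparse(url).query)
    scopes = " ".join(query.get("scope", [])).split()  # one space-separated parameter
    redirect_uri = query.get("redirect_uri", [""])[0]
    return {
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": urlparse(redirect_uri).hostname or "",
        "scopes": scopes,
    }


def classify_scopes(scopes):
    """Bucket scopes into the levels the permissions page uses."""
    levels = {"full": [], "read_write": [], "read_only": [], "sign_in": [], "unknown": []}
    for scope in scopes:
        if scope in FULL_ACCESS:
            levels["full"].append(scope)
        elif scope in READ_WRITE:
            levels["read_write"].append(scope)
        elif scope in READ_ONLY:
            levels["read_only"].append(scope)
        elif scope in SIGN_IN:
            levels["sign_in"].append(scope)
        else:
            levels["unknown"].append(scope)
    return levels


def triage(url, expected_domain=None):
    """Parse a consent URL and list the reasons to pause before ALLOW.
    The token is delivered to redirect_uri, so a host outside
    expected_domain means someone other than the service you expect gets it."""
    info = parse_consent_url(url)
    levels = classify_scopes(info["scopes"])
    warnings = []
    if levels["full"]:
        warnings.append("full access requested: " + ", ".join(levels["full"]))
    if levels["unknown"]:
        warnings.append("unrecognised scopes: " + ", ".join(levels["unknown"]))
    host = info["redirect_host"]
    if expected_domain and host != expected_domain and not host.endswith("." + expected_domain):
        warnings.append(f"token goes to {host or '<none>'}, not {expected_domain}")
    verdict = "review before clicking ALLOW" if warnings else "looks proportionate"
    return {**info, "levels": levels, "warnings": warnings, "verdict": verdict}


# Constructed sample matching the pattern in the post: the dialog would say
# "Google Docs", but the request wants full mail and contacts access and sends
# the token to a non-Google site. The client_id and domain are invented.
SUSPICIOUS_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

# Constructed sample of a proportionate request: a calendar assistant that only
# reads your calendar and identifies you, returning to its own (invented) domain.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=210987654321-zyxwvutsrqponmlkjihgfedcba543210.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fassistant.example.com%2Foauth%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
)

if __name__ == "__main__":
    for url, expected in ((SUSPICIOUS_URL, "google.com"), (BENIGN_URL, "assistant.example.com")):
        result = triage(url, expected)
        print(result["verdict"], "|", "; ".join(result["warnings"]) or "no warnings")
```

Run it directly to see both verdicts. For the first URL the victim believes Google itself is asking, so the expected domain is google.com, and the script flags both the full-access scopes and the token going to a site the victim has never heard of. Google’s own apps never need to ask you for OAuth access to your own Google account, so a consent dialog titled “Google Docs” is suspect on its face; the script just makes the scope and redirect checks mechanical.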
What is this App or Service?
The biggest issue I’ve encountered is not recognizing an app or service. For example, I spotted this one – Project Default Service Account.
I haven’t a clue what it is, even considering the authorization date. If I Google “Project Default Service Account”, I see several suggestions.
- A developer who used a default name when generating an application using the Android SDK.
In this case, I’ll remove the authorization and see if some app screams. Better safe than sorry.
This tutorial just focused on Google Account security. Now might be the time to look at other services you use, such as Facebook, to see if the same problems exist.